ISO27552: Privacy extension to IS027001 – a look at the draft

News and information from the Advent IM team.

Advent IM, ISO27552, privacy standard consulting

The objective of ISO/IEC 27552 is to expand the existing ISMS with privacy-specific controls, creating PIMS to enable effective privacy management within an organisation. Robust PIMS implementation can bring many potential benefits for Personal Information Controllers and Processors.

Firstly, managing compliance to multiple privacy regulations and policies from multiple authorities can be difficult especially when regulations are not organised in ways to enhance implementation by Personal Information Controllers and Processors. Within Annex C of the standard, one single control is often able to account for multiple requirements from General Data Protection Regulation (GDPR). This approach significantly reduces the complexity in meeting the applicable regulations. (Annex C provides a helpful mapping of the clauses of 27552 to the Articles of GDPR).

Secondly, Data Protection Officers are expected to provide evidence to senior management and organisation board members on their progress in terms of their privacy regulatory compliance. Compliance evidence organised based on PIMS and, potentially, its certification can provide the necessary assurance to senior management and board members that applicable privacy requirements are met.

Thirdly, PIMS certification can be valuable in communicating privacy compliance to customers and partners. Personal Information Controllers generally demand evidence from Personal Information Processors that the Personal Information Processors’ privacy management system adheres to applicable privacy requirements. A uniform evidence framework based on international standard can greatly simplify this communication of compliance transparency, especially when the evidence is validated by an accredited third-party auditor. This necessity in communication of compliance transparency is also critical for strategic business decisions such as mergers and acquisitions and co-controllers’ scenarios involving data sharing agreements.

Lastly, PIMS certification can potentially serve to signal trustworthiness to the public.

The current draft expires at the end of February. Keep this website bookmarked for further info and don’t forget we will be offering consulting for this important standard via our dedicated page. We are already taking pre-launch meeting bookings so get in touch. 0121 559 6699 m

Share this Post